Growing Security Operations Center (SOC) like a raised garden bed

Original article by 

Being a typical Asian, I am not very good at either lawn mowing or looking after my back garden at all. It's one of those skills we never really acquired growing up in a concrete jungle, and we were never given the opportunity to deal with weeds, mow a lawn, etc. (and if the need ever arises, labour in Asian countries is typically so cheap that such tasks get outsourced to cheap labour anyway).

Last year, for some unknown reason, I decided to do something about my backyard. Not only did I spend 3-4 months sorting out and maintaining it, I even went as far as putting a raised garden bed together, which became the main supply for my 5:2 diet as well as a continuous supply of greens for the kids' packed lunches and for dinner at home.

Looking back, I now realise that there are many similarities between growing a SOC and growing veges in a raised garden bed.

To build a highly effective SOC, you are typically going to need three things: the right people, the right processes and the right tools.

The most crucial part of a SOC is to fill it with the right type of people (the equivalent of finding the right seeds/seedlings for your garden). NZ is a very small country (with a population of only 4 million+), and almost every single hire I have made into my team in the past was someone new to the security arena. Below are the main attributes I typically look for in a potential candidate:

  • Passionate about security and technology (someone who is curious about how things work, who is constantly poking at, testing and learning new applications, protocols, technologies and gadgets, and who typically has a home lab, etc.). You would be surprised by the number of candidates who tell me how dead keen they are to get into security, yet have neither a home lab nor a VPS online that they can use for playing/testing purposes.
  • Has the right attitude and a good work ethic.
  • Has a personality that fits well into a team.
  • Is technically sound, with a robust IT foundation/understanding. <== you can see that this is listed as the lowest priority, as "Skills Can Be Taught, But Attitude is Forever".

One of the things I learned during the early stages of growing my own veges organically is the importance of having the right routine. I had lots of fun making my own garlic-based solution to spray on the crops to reduce pest infestation. Some plants need to be watered daily, some every 2-3 days. This is very similar to running a mature and effective SOC: low-hanging fruit must be identified and removed before the bad guys find it (vulnerability management), and every security event of interest must be investigated, qualified and contained in a timely and consistent manner (incident response). I cannot stress enough the importance of having a well-defined and documented process for everything we do in the SOC.

One of the reasons I started enjoying many of the tasks involved in looking after my back garden was that I have since purchased quite a few different power tools (in fact, I now own every single one of Ryobi's One+ outdoor gardening range of tools; refer to for those of you not familiar with their products). Having access to the right tools makes all the daunting gardening tasks so much more bearable.

In reality, this is very much the same for a SOC. I can still remember how I got into Perl scripting 10+ years ago, when I had to come up with a way to monitor and analyse millions of lines of firewall logs to try to identify anomalies. Nowadays, with tools such as SIEM, IDS, etc., many of the basic security monitoring functions can be performed by junior security analysts reasonably easily (with defined criteria for when certain events of interest (EOI) need to be escalated, etc.).

If you do decide that building your own SOC aligns with your business goals, or you want one because everybody else has got one, be aware of some of the challenges you are very likely to encounter:

  • Huge lack of security subject matter experts in the market. Once you start looking, you will realise how hard it is to find someone with the right skills and experience (especially in NZ). Either you have to pay above the market rate, or you have to consider bringing in resources from other domains and training and moulding them into what you need (which is both a lengthy and expensive process).
  • Blind leading the blind. If you decide to fill your SOC by hiring people from other domains (e.g. graduates, or people from a sysadmin background) because of the shortage of security professionals, make sure you start by employing a strong SOC manager (or technical lead) who actually knows what security management is all about. Otherwise, all you are going to end up with is a glorified NOC doing smoke and mirrors (refer to
  • Staff retention. If you are lucky enough to have a strong security manager/team lead and a great team of SOC analysts, be prepared: someone will very likely come and snap them away from you (by offering more money, etc.). If you think you offer good money, you will be surprised how desperate the market is, and how someone is always willing to offer more. Before you decide to put all the effort and money into building your own SOC, think about your staff retention strategy first. Otherwise, all you are doing is being the breeding ground for the market.

Building a SOC is hard work, so make sure you have a clear vision of what you intend to get out of it before you make the move, and work out exactly how that fits into your overall business goals too. Using the same raised-garden analogy: if you own a restaurant and need organic veges, ask yourself whether it makes sense to put your own raised garden bed together so you can supply your own organic veges, or whether it is easier to just buy them from the wholesale vege market (at a good price, etc.).

There's obviously no right or wrong answer to that question; it all comes down to how it fits into your overall business plan. 🙂

For those of you who work in security and are considering moving to New Zealand, I strongly encourage you to connect with me and find out more about what we do, what the country is like, etc. Being an immigrant myself, moving to NZ is probably one of the best life decisions I have ever made.